QRadar SIEM Tutorial

What is QRadar?

IBM Security QRadar SIEM (Security Information and Event Management) is a network security management platform that provides situational awareness and compliance support.

The system combines flow-based network analysis, security event correlation and asset-based vulnerability assessment. The SIEM alerts on suspicious activity and lets security analysts investigate it. It is important to note that while QRadar SIEM alerts designated people about suspicious activity, it does not respond automatically: it expects human investigation before any action is taken, which avoids acting on false positives. For example, QRadar SIEM can detect services and confirm that they are an attack target, but it does not reconfigure or shut down those services, because such automatic changes could cause unwanted system outages. The better approach is for an administrator to create a rule that responds to the issue in the expected way. QRadar SIEM helps an organization find attacks and policy breaches.

QRadar SIEM capabilities

The key capabilities of this top SIEM product (according to Gartner) are:

  • Scalable architecture to support the largest deployments.
  • Ability to process security data from many sources, such as firewalls, user directories, proxies, applications and routers
  • Collection, normalization and correlation, plus secure storage of raw events, network flows and asset data
  • Layer 7 payload capture of up to a configurable number of bytes from unencrypted traffic. By default, QFlow captures the first 64 bytes of unencrypted layer 7 payloads. The user interface displays these bytes without further decoding. Payloads from encrypted traffic are not captured.
  • Comprehensive search capabilities
  • Monitors host and network changes that could reveal an attacker or a policy breach, for example off-hours use of an application, use that violates employee policy, or network activity patterns that do not match historical profiles. The SIEM can also check for suspected attacks or other policy breaches.
  • Notification by email, SNMP, and others
  • Many generic reporting templates included
  • Single interface
  • Provides reliable, tamper-proof log storage for forensic investigations. Using QRadar SIEM to retain evidence shortens the gap between a security incident occurring and its detection.
  • Provides reporting templates to meet operational and compliance requirements
  • Puts security-relevant data from many sources in context with each other
  • Alerts on suspicious activities and policy breaches in the IT environment
  • Provides deep visibility into network and application activity
  • Identifies suspected attacks and policy breaches

QRadar SIEM use

QRadar SIEM helps security analysts answer questions such as:

  • Where should the investigation be focused?
  • How is the attacker penetrating the system?
  • Is the suspected attack or policy breach real or a false alarm?
  • Who is attacking?
  • What is under attack?
  • What is the security impact?
  • When are the attacks taking place?

To help SOC analysts, QRadar SIEM correlates information like:

  • The point of issue
  • Offending users
  • Origins
  • Targets
  • Vulnerabilities
  • Asset information
  • Known threats
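As an added illustration of collection, normalization and correlation (not QRadar's own code or rule syntax), the following Python sketch normalizes constructed firewall and authentication log lines onto one schema, applies a single brute-force rule, and enriches the resulting offense with the fields listed above (origin, offending user, target, asset information, known threats). The log format, asset table and threat list are all constructed for the example; like QRadar, it only produces an offense for an analyst and changes nothing on the target system.

```python
from collections import defaultdict

# Constructed sample events from two log sources (not real QRadar output).
RAW_EVENTS = [
    "FW src=203.0.113.9 dst=10.0.0.5 dport=22 action=ACCEPT",
    "AUTH host=10.0.0.5 user=alice result=FAIL src=203.0.113.9",
    "AUTH host=10.0.0.5 user=alice result=FAIL src=203.0.113.9",
    "AUTH host=10.0.0.5 user=alice result=FAIL src=203.0.113.9",
    "AUTH host=10.0.0.5 user=alice result=SUCCESS src=203.0.113.9",
    "AUTH host=10.0.0.7 user=bob result=FAIL src=192.168.1.20",
]

# Constructed context: asset information and a known-threat list.
ASSETS = {"10.0.0.5": "payroll-db", "10.0.0.7": "dev-laptop"}
KNOWN_BAD = {"203.0.113.9"}


def normalize(line):
    """Map a raw line from either source onto one common schema."""
    kind, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    if kind == "FW":
        return {"src": fields["src"], "dst": fields["dst"], "user": None,
                "event": "fw_" + fields["action"].lower()}
    return {"src": fields["src"], "dst": fields["host"], "user": fields["user"],
            "event": "auth_" + fields["result"].lower()}


def correlate(lines, fail_threshold=3):
    """Rule: fail_threshold or more failed logins followed by a success for the
    same source, target and user. Returns offenses for an analyst to review."""
    fails = defaultdict(int)
    offenses = []
    for ev in map(normalize, lines):
        key = (ev["src"], ev["dst"], ev["user"])
        if ev["event"] == "auth_fail":
            fails[key] += 1
        elif ev["event"] == "auth_success" and fails[key] >= fail_threshold:
            offenses.append({
                "origin": ev["src"],
                "offending_user": ev["user"],
                "target": ev["dst"],
                "asset": ASSETS.get(ev["dst"], "unknown"),
                "known_threat": ev["src"] in KNOWN_BAD,
                "failed_attempts": fails[key],
            })
            fails.pop(key)
    return offenses


if __name__ == "__main__":
    for offense in correlate(RAW_EVENTS):
        print(offense)
```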